Abstract

We describe a type system for a synchronous π-calculus formalising the notion of affine usage in signal-based communication. In particular, we identify a limited number of usages that preserve affinity and that can be composed. As a main application of the resulting system, we show that typable programs are deterministic.

1 Introduction

We are interested in synchronous systems. In these systems, there is a notion of instant (or phase, or pulse, or round) and at each instant each component of the system, a thread, performs some actions and synchronizes with all the other threads. One may say that all threads proceed at the same speed and it is in this specific sense that we shall refer to synchrony in this work. Signal-based communication is often used as the basic interaction mechanism in synchronous systems (see, e.g., [3, 6]). Signals play a role similar to channels in asynchronous systems. Our goal in this paper is to study the notion of affine usage in this context. In particular, we shall formalise our ideas in the context of a synchronous π-calculus (Sπ-calculus) introduced in [2]. We assume that the reader is familiar with the π-calculus and proceed to give a flavour of the language (the formal definition of the Sπ-calculus is recalled in section 2).

The syntax of the Sπ-calculus is similar to the one of the π-calculus, however there are some important semantic differences that we highlight in the following simple example. Assume $v_1 \ne v_2$ are two distinct values and consider the following program in Sπ:

$P = \nu s_1, s_2\ (\bar{s}_1 v_1 \mid \bar{s}_1 v_2 \mid s_1(x).(s_1(y).(s_2(z).A(x,y), \underline{B(!s_1)}), \underline{0}), \underline{0})$

If we forget about the underlined parts and we regard $s_1, s_2$ as channel names then $P$ could also be viewed as a π-calculus process. In this case, $P$ would reduce to $P_1 = \nu s_1, s_2\ (s_2(z).A(\theta(x), \theta(y)))$ where $\theta$ is a substitution such that $\theta(x), \theta(y) \in \{v_1, v_2\}$ and $\theta(x) \ne \theta(y)$. In Sπ, signals persist within the instant and $P$ reduces to $P_2 = \nu s_1, s_2\ (\bar{s}_1 v_1 \mid \bar{s}_1 v_2 \mid (s_2(z).A(\theta(x), \theta(y)), B(!s_1)))$ where again $\theta(x), \theta(y) \in \{v_1, v_2\}$ but possibly $\theta(x) = \theta(y)$. What happens next? In the π-calculus, $P_1$ is deadlocked and no further computation is possible. In the Sπ-calculus, the fact that no further computation is possible in $P_2$ is detected and marks the end of the current instant. Then an additional computation represented by the relation $\xrightarrow{N}$ moves $P_2$ to the following instant: $P_2 \xrightarrow{N} P_2' = \nu s_1, s_2\ B(v)$ where $v \in \{[v_1; v_2], [v_2; v_1]\}$. Thus at the end of the instant, a dereferenced signal such as $!s_1$ becomes a list (possibly empty) of (distinct) values emitted on $s_1$ during the instant and then all signals are reset.



We continue our informal discussion with an example of a 'server' handling a list of requests emitted in the previous instant on the signal $s$. For each request of the shape $req(s', x)$, it provides an answer which is a function of $x$ along the signal $s'$ (the notation $x \triangleright p$ is used to match a value $x$ against a pattern $p$). The 'client' issues a request $x$ on signal $s$ and returns the reply on signal $t$.

$Server(s) = pause.\,Handle(s, !s)$

$Handle(s, \ell) = [\ell \triangleright cons(req(s', x), \ell')]\,(\bar{s'}f(x) \mid Handle(s, \ell')),\ Server(s)$

$Client(x, s, t) = \nu s'\,(\bar{s}\,req(s', x) \mid pause.\,s'(x).\bar{t}x, 0)$

Let us first notice that a request contains a 'pointer', namely the name of the signal on which to answer the request. Then the 'folklore solution' of transforming a list of values into one value via an associative and commutative function does not work here. Indeed there seems to be no reasonable way to define an associative and commutative function on pointers. Instead, we look at $Handle$ as a function from (a signal and) a list of requests to behaviours which is invariant under permutations of the list of requests. Note that to express this invariance we need a notion of behavioural equivalence and that this equivalence must satisfy the usual associativity and commutativity laws of parallel composition and must be preserved by parallel composition.

These considerations are enough to argue that the $Server$ is a 'deterministic' program. No matter how many clients issue requests at each instant, the $Server$ will provide an answer to each of them in the following instant in a way which is independent of the order of the requests. Let us now look at the $Client$. After issuing a request, the $Client$ waits for a reply in the following instant. Clearly, if more than one reply comes, the outcome of the computation is not deterministic. For instance, we could have several 'Servers' running in parallel or a server could somehow duplicate the request. This means that the usage of the signal $s$ must be such that many 'clients' may issue a request but at most one 'server' may handle them at the end of the instant in an 'affine' way. Further, on the client side, the return signal $s'$ can only be used to read while on the server side it can only be used to emit.

This preliminary discussion suggests the need for a formal analysis of the principles that allow one to establish the determinacy of a synchronous program. This analysis is obviously inspired by previous work on the foundations of linear logic [7], on linear typing of functional programs (e.g., [14]), and on linear usages of channels (e.g., [10]). Following this line of work, the analysis presented in section 3 will take the form of a typing system. The previous section 2 will recall the formal definition of the Sπ-calculus. In the final section, first we shall introduce the properties of the typing system leading to a subject reduction theorem, and second we shall describe a suitable notion of typed bisimulation and show that with respect to this notion, typable programs can be regarded as deterministic.

2 Definition of the Sπ-calculus

We recall the formal definition of the Sπ-calculus and its bisimulation based semantics while referring the reader to [2, 4] for a deeper analysis. This section is rather technical but to understand the type system described in the following section 3 there are really just two points that the reader should keep in mind:

1. The semantics of the calculus is given by the labelled transition system presented in table 2. A reader familiar with a π-calculus with asynchronous communication can understand these rules rather quickly. The main differences are (a) the rule for emitting a signal formalises the fact that a signal, unlike a channel, persists within an instant and (b) the rules that describe the computation at the end of the instant.

2. The labelled transition system induces a rather standard notion of bisimulation equivalence (definition 1) which is preserved by static contexts (fact 2).¹ In section 4 we shall introduce a 'typed' definition of the bisimulation and show that with respect to this definition, typable programs are deterministic.

2.1 Programs

Programs $P, Q, \ldots$ in the Sπ-calculus are defined in table 1. We use the notation $\mathbf{m}$ for a vector $m_1, \ldots, m_n$, $n \ge 0$. The informal behaviour of programs follows. $0$ is the terminated thread. $A(\mathbf{e})$ is a (tail) recursive call of a thread identifier $A$ with a vector $\mathbf{e}$ of expressions as argument; as usual the thread identifier $A$ is defined by a unique equation $A(\mathbf{x}) = P$ such that the free variables of $P$ occur in $\mathbf{x}$. $\bar{s}e$ evaluates the expression $e$ and emits its value on the signal $s$. $s(x).P,K$ is the present statement which is the fundamental operator of the model. If the values $v_1, \ldots, v_n$ have been emitted on the signal $s$ then $s(x).P,K$ evolves non-deterministically into $[v_i/x]P$ for some $v_i$ ($[\_/\_]$ is our notation for substitution). On the other hand, if no value is emitted then the continuation $K$ is evaluated at the end of the instant. $[s_1 = s_2]P_1,P_2$ is the usual matching function of the π-calculus that runs $P_1$ if $s_1$ equals $s_2$ and $P_2$ otherwise. Here both $s_1$ and $s_2$ are free. $[u \triangleright p]P_1,P_2$ matches $u$ against the pattern $p$. We assume $u$ is either a variable $x$ or a value $v$ and $p$ has the shape $c(\mathbf{x})$, where $c$ is a constructor and $\mathbf{x}$ is a vector of distinct variables. We also assume that if $u$ is a variable $x$ then $x$ does not occur free in $P_1$. At run time, $u$ is always a value and we run $\theta P_1$ if $\theta = match(u,p)$ is the substitution matching $u$ against $p$, and $P_2$ if the substitution does not exist (written $match(u,p)\uparrow$). Note that as usual the variables occurring in the pattern $p$ (including signal names) are bound in $P_1$. $\nu s\, P$ creates a new signal name $s$ and runs $P$. $(P_1 \mid P_2)$ runs $P_1$ and $P_2$ in parallel. A continuation $K$ is simply a recursive call whose arguments are either expressions or values associated with signals at the end of the instant in a sense that we explain below. We shall also write $pause.K$ for $\nu s\ s(x).0,K$ with $s$ not free in $K$. This is the program that waits till the end of the instant and then evaluates $K$.

2.2 Expressions

Expressions are partitioned in several syntactic categories as specified in table 1. As in the π-calculus, signal names stand both for signal constants as generated by the $\nu$ operator and signal variables as in the formal parameter of the present operator. Variables $Var$ include signal names as well as variables of other types. Constructors $Cnst$ include $*$, $nil$, and $cons$. Values $Val$ are terms built out of constructors and signal names. Patterns $Pat$ are terms built out of constructors and variables (including signal names). If $P, p$ are a program and a pattern then we denote with $fn(P), fn(p)$ the set of free signal names occurring in them, respectively. We also use $FV(P), FV(p)$ to denote the set of free variables (including signal names). We assume first-order function symbols $f, g, \ldots$ and an evaluation relation $\Downarrow$ such that for every function symbol $f$ and values $v_1, \ldots, v_n$ of suitable type there is a unique value $v$ such that $f(v_1, \ldots, v_n) \Downarrow v$ and $fn(v) \subseteq \bigcup_{i=1,\ldots,n} fn(v_i)$. Expressions $Exp$ are terms built out of variables, constructors, and function symbols. The evaluation relation $\Downarrow$ is extended in a standard way to expressions whose only free variables are signal names. Finally, $Rexp$ are expressions that may include the value associated with a signal $s$ at the end of the instant (which is written $!s$, following the ML notation for dereferenciation). Intuitively, this value is a list of values representing the set of values emitted on the signal during the instant.

¹ As a matter of fact the labelled transition system is built so that the definition of bisimulation equivalence looks standard [4].

$P ::= 0 \mid A(\mathbf{e}) \mid \bar{s}e \mid s(x).P,K \mid [s_1 = s_2]P_1,P_2 \mid [u \triangleright p]P_1,P_2 \mid \nu s\,P \mid P \mid P$   (programs)

$K ::= A(\mathbf{r})$   (continuation next instant)

$Sig ::= s \mid t \mid \ldots$   (signal names)

$Var ::= Sig \mid x \mid y \mid \ldots$   (variables)

$Cnst ::= * \mid nil \mid cons \mid c \mid d \mid \ldots$   (constructors)

$Val ::= Sig \mid Cnst(Val, \ldots, Val)$   (values $v, v', \ldots$)

$Pat ::= Cnst(Var, \ldots, Var)$   (patterns $p, p', \ldots$)

$Fun ::= f \mid g \mid \ldots$   (first-order function symbols)

$Exp ::= Var \mid Cnst(Exp, \ldots, Exp) \mid Fun(Exp, \ldots, Exp)$   (expressions $e, e', \ldots$)

$Rexp ::= !Sig \mid Var \mid Cnst(Rexp, \ldots, Rexp) \mid Fun(Rexp, \ldots, Rexp)$   (exp. with deref. $r, r', \ldots$)

Table 1: Syntax of programs and expressions

The definition of a simple type system for the Sπ-calculus can be extracted from the more elaborate type system presented in section 3 by confusing 'set-types' with 'list-types' and by neglecting all considerations on usages.

2.3 Actions

The syntactic category $act$ of actions described in table 2 comprises relevant, auxiliary, and nested actions. The operations $fn$ (free names), $bn$ (bound names), and $n$ (both free and bound names) are defined as in the π-calculus [13].

The relevant actions are those that are actually considered in the bisimulation game. They consist of: (i) an internal action $\tau$, (ii) an emission action $\nu\mathbf{t}\,\bar{s}v$ where it is assumed that the signal names $\mathbf{t}$ are distinct, occur in $v$, and differ from $s$, (iii) an input action $sv$, and (iv) an action $N$ (for Next) that marks the move from the current to the next instant.

The auxiliary actions consist of an input action $s?v$ which is coupled with an emission action in order to compute a $\tau$ action and an action $(E, V)$ which is just needed to compute an action $N$. The latter is an action that can occur exactly when the program cannot perform $\tau$ actions and it amounts to (i) collecting in lists the set of values emitted on every signal, (ii) resetting all signals, and (iii) initialising the continuation $K$ for each present statement of the shape $s(x).P,K$.

In order to formalise these three steps we need to introduce some notation. Let $E$ vary over functions from signal names to finite sets of values. Denote with $\emptyset$ the function that associates the empty set with every signal name, with $[M/s]$ the function that associates the set $M$ with the signal name $s$ and the empty set with all the other signal names, and with $\cup$ the union of functions defined point-wise.

We represent a set of values as a list of the values belonging to the set. More precisely, we write $\ell \Vdash M$ and say that $\ell$ represents $M$ if $M = \{v_1, \ldots, v_n\}$ and $\ell = [v_{\pi(1)}; \ldots; v_{\pi(n)}]$ for some permutation $\pi$ over $\{1, \ldots, n\}$. Suppose $V$ is a function from signal names to lists of values. We write $V \Vdash E$ if $V(s) \Vdash E(s)$ for every signal name $s$. We also write $dom(V)$ for $\{s \mid V(s) \ne []\}$. If $K$ is a continuation, i.e., a recursive call $A(\mathbf{r})$, then $V(K)$ is obtained from $K$ by replacing each occurrence $!s$ of a dereferenced signal with the associated value $V(s)$. We denote with $V[\ell/s]$ the function that behaves as $V$ except on $s$ where $V[\ell/s](s) = \ell$.

With these conventions, a transition $P \xrightarrow{E,V} P'$ intuitively means that (1) $P$ is suspended, (2) $P$ emits exactly the values specified by $E$, and (3) the behaviour of $P$ in the following instant is $P'$ and depends on $V$. It is convenient to compute these transitions on programs where all name generations are lifted at top level. We write $P \succeq Q$ if we can obtain $Q$ from $P$ by repeatedly transforming, for instance, a subprogram $\nu s\,P' \mid P''$ into $\nu s\,(P' \mid P'')$ where $s \notin fn(P'')$.

Finally, the nested actions $\mu, \mu', \ldots$ are certain actions (either relevant or auxiliary) that can be produced by a sub-program and that we need to propagate to the top level.
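As an added example (Python, not the paper's own code) of the end-of-instant step just defined and of the Server/Client of the introduction: it enumerates the representations $V \Vdash E$ of a set of emissions, applies $V$ to a continuation $K$, and checks that the server's answer does not depend on which permutation is chosen, while a client whose reply signal carries two distinct values is flagged as non-deterministic. Signal names, request values and the answer functions are constructed for the example.

```python
"""Added example (not the paper's own code): a Python model of the end-of-instant
step of section 2.3 and of the Server/Client example of the introduction.

E maps a signal name to the set of values emitted on it during the instant;
a representation V of E lists each set in some order (V ⊩ E); V(K) replaces
every dereferenced signal !s in the continuation K by V(s)."""
from itertools import permutations, product


def representations(E):
    """All V with V ⊩ E: each signal's set becomes a list in some permutation."""
    sigs = sorted(E)
    choices = [[list(p) for p in permutations(sorted(E[s], key=repr))] for s in sigs]
    return [dict(zip(sigs, pick)) for pick in product(*choices)]


def dom(V):
    """dom(V) = {s | V(s) != []}."""
    return {s for s, vals in V.items() if vals}


def apply_continuation(K, V):
    """V(K): K is a recursive call (A, args); an argument written "!s" stands for
    the dereferenced signal s and is replaced by V(s) ([] if s was silent)."""
    name, args = K
    return (name, tuple(V.get(a[1:], []) if isinstance(a, str) and a.startswith("!")
                        else a for a in args))


def handle(requests, f):
    """Handle(s, l): for each request req(s', x) in the list l, emit f(x) on s'.
    Emissions persist and parallel composition is commutative, so the
    emissions of one instant are returned as a set, not a sequence."""
    return frozenset((reply_sig, f(x)) for tag, reply_sig, x in requests if tag == "req")


def server_is_deterministic(E, s, f):
    """Server(s) = pause.Handle(s, !s): deterministic iff every representation V
    of E makes the continuation Handle(s, V(s)) emit the same answers."""
    outcomes = {handle(apply_continuation(("Handle", (s, "!" + s)), V)[1][1], f)
                for V in representations(E)}
    return len(outcomes) == 1


def client_reply_is_unique(emissions, t):
    """The client forwards the one value it reads on its reply signal t; two
    distinct values waiting there make the outcome non-deterministic."""
    return len({v for sig, v in emissions if sig == t}) <= 1


# Constructed scenario: two clients send requests req(s', x) on s in one instant.
E = {"s": {("req", "t1", 2), ("req", "t2", 3)}}


def demo():
    """Returns (server deterministic, one server ok for client t1,
    two servers with different answer functions ok for client t1)."""
    square = lambda x: x * x
    single = server_is_deterministic(E, "s", square)
    replies = handle(sorted(E["s"]), square)
    one_ok = client_reply_is_unique(replies, "t1")
    # A second server answering the same requests differently: t1 gets 4 and 3.
    replies2 = replies | handle(sorted(E["s"]), lambda x: x + 1)
    two_ok = client_reply_is_unique(replies2, "t1")
    return single, one_ok, two_ok


if __name__ == "__main__":
    print(demo())
```

The set returned by `handle` is the behavioural quotient the text appeals to: two runs that emit the same values in a different order are identified, which is exactly the permutation invariance required of $Handle$.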

2.4 Labelled transition system and bisimulation

The labelled transition system is defined in table 2 where rules apply to programs whose only free variables are signal names and with standard conventions on the renaming of bound names. As usual, one can rename bound variables, and symmetric rules are omitted. The first 12 rules from $(out)$ to $(\nu_{ex})$ are quite close to those of a polyadic π-calculus with asynchronous communication (see, e.g., [3]) with the following exception: rule $(out)$ models the fact that the emission of a value on a signal persists within the instant. The last 5 rules from $(0)$ to $(next)$ are quite specific to the Sπ-calculus and determine how the computation is carried on at the end of the instant (cf. discussion in section 2.3).

We derive from the labelled transition system a notion of (weak) labelled bisimulation. First define $\xRightarrow{\alpha}$ as $(\xrightarrow{\tau})^*$ if $\alpha = \tau$, $(\xRightarrow{\tau}) \circ (\xrightarrow{N})$ if $\alpha = N$, and $(\xRightarrow{\tau}) \circ (\xrightarrow{\alpha}) \circ (\xRightarrow{\tau})$ otherwise. This is the standard definition except that we insist on not having internal reductions after an $N$ action. Intuitively, we assume that an observer can control the execution of programs so as to be able to test them at the very beginning of each instant. We write $P \xRightarrow{\alpha} \cdot$ for $\exists P'\ (P \xRightarrow{\alpha} P')$.

Definition 1 (labelled bisimulation) A symmetric relation $\mathcal{R}$ on programs is a labelled bisimulation if $P \mathcal{R} Q$, $P \xrightarrow{\alpha} P'$, $bn(\alpha) \cap fn(Q) = \emptyset$ implies $\exists Q'\ (Q \xRightarrow{\alpha} Q',\ P' \mathcal{R} Q')$. We denote with $\approx$ the largest labelled bisimulation.

Fact 2 ([4]) Labelled bisimulation is preserved by parallel composition and name generation.

3 An affine type system

An analysis of the notion of determinacy carried on in [3], along the lines of [12], suggests that there are basically two situations that need to be analysed in order to guarantee the determinacy of programs. (1) At least two distinct values compete to be received within an instant, for instance, consider: $\bar{s}v_1 \mid \bar{s}v_2 \mid s(x).P, K$. (2) At the end of the instant, at least two distinct values are available on a signal. For instance, consider: $\bar{s}v_1 \mid \bar{s}v_2 \mid pause.\,A(!s)$. A sensible approach is to avoid completely the first situation and to allow the second provided the behaviour of the continuation $A$ does not depend on the order in which the values are collected. Technically, we consider a notion of affine signal usage to guarantee the first condition and a notion of set type for the second one. While this is a good starting point, it falls short of providing a completely satisfying answer because the type constructions do not compose very well. Then our goal is to discover a collection of signal usages with better compositionality properties. The outcome of our analysis is three new kinds of usages (kinds 3-5 in table 3).

$act ::= \alpha \mid aux$   (actions)

$\alpha ::= \tau \mid \nu\mathbf{t}\,\bar{s}v \mid sv \mid N$   (relevant actions)

$aux ::= s?v \mid (E, V)$   (auxiliary actions)

$\mu ::= \tau \mid \nu\mathbf{t}\,\bar{s}v \mid s?v$   (nested actions)

$(out)\ \dfrac{e \Downarrow v}{\bar{s}e \xrightarrow{\bar{s}v} \bar{s}e}$ \qquad $(in)\ P \xrightarrow{sv} (P \mid \bar{s}v)$

$(=_{sig})\ [s = s]P_1,P_2 \xrightarrow{\tau} P_1$ \qquad $(\ne_{sig})\ \dfrac{s_1 \ne s_2}{[s_1 = s_2]P_1,P_2 \xrightarrow{\tau} P_2}$

$(=_{ind})\ \dfrac{match(v,p) = \theta}{[v \triangleright p]P_1,P_2 \xrightarrow{\tau} \theta P_1}$ \qquad $(\ne_{ind})\ \dfrac{match(v,p)\uparrow}{[v \triangleright p]P_1,P_2 \xrightarrow{\tau} P_2}$

$(rec)\ \dfrac{A(\mathbf{x}) = P \quad \mathbf{e} \Downarrow \mathbf{v}}{A(\mathbf{e}) \xrightarrow{\tau} [\mathbf{v}/\mathbf{x}]P}$ \qquad $(in_{aux})\ s(x).P,K \xrightarrow{s?v} [v/x]P$

$(comp)\ \dfrac{P_1 \xrightarrow{\mu} P_1' \quad bn(\mu) \cap fn(P_2) = \emptyset}{P_1 \mid P_2 \xrightarrow{\mu} P_1' \mid P_2}$

$(synch)\ \dfrac{P_1 \xrightarrow{\nu\mathbf{t}\,\bar{s}v} P_1' \quad P_2 \xrightarrow{s?v} P_2' \quad \{\mathbf{t}\} \cap fn(P_2) = \emptyset}{P_1 \mid P_2 \xrightarrow{\tau} \nu\mathbf{t}\,(P_1' \mid P_2')}$

$(\nu)\ \dfrac{P \xrightarrow{\mu} P' \quad t \notin n(\mu)}{\nu t\,P \xrightarrow{\mu} \nu t\,P'}$ \qquad $(\nu_{ex})\ \dfrac{P \xrightarrow{\nu\mathbf{t}\,\bar{s}v} P' \quad t' \ne s \quad t' \in n(v) \setminus \{\mathbf{t}\}}{\nu t'\,P \xrightarrow{\nu\mathbf{t},t'\,\bar{s}v} P'}$

$(0)\ 0 \xrightarrow{\emptyset,V} 0$ \qquad $(reset)\ \dfrac{e \Downarrow v \quad v \text{ occurs in } V(s)}{\bar{s}e \xrightarrow{[\{v\}/s],V} 0}$

$(cont)\ \dfrac{s \notin dom(V)}{s(x).P,K \xrightarrow{\emptyset,V} V(K)}$ \qquad $(par)\ \dfrac{P_i \xrightarrow{E_i,V} P_i' \quad i = 1,2}{(P_1 \mid P_2) \xrightarrow{E_1 \cup E_2,V} (P_1' \mid P_2')}$

$(next)\ \dfrac{P \succeq \nu\mathbf{s}\,P' \quad V \Vdash E \quad P' \xrightarrow{E,V} P''}{P \xrightarrow{N} \nu\mathbf{s}\,P''}$

Table 2: Labelled transition system

3.1 Usages

In first approximation, we may regard a usage as an element of the set $L = \{0, 1, \infty\}$ with the intuition that $0$ corresponds to no usage at all, $1$ to at most one usage, and $\infty$ to any usage. We add usages with a partial operation $\oplus$ such that $0 \oplus a = a \oplus 0 = a$ and $\infty \oplus \infty = \infty$, and which is undefined otherwise (note in particular that $1 \oplus 1$ is undefined). The addition induces an order by $a \le b$ if $\exists c\ a \oplus c = b$. With respect to this order, $0$ is the least element while $1$ and $\infty$ are incomparable. If $a \ge b$ then we define a subtraction operation $a \ominus b$ as the largest $c$ such that $a = b \oplus c$. Therefore: $a \ominus 0 = a$, $1 \ominus 1 = 0$, and $\infty \ominus \infty = \infty$.

This classification of usages is adequate when handling purely functional data where the intuition is that data with usage $1$ have at most one pointer to them [14]. However, when handling more complex entities such as references, channels, or signals it is convenient to take a more refined view. Specifically, a usage can be refined to include information about whether a signal is used: (i) to emit, (ii) to receive during the instant, or (iii) to receive at the end of the instant. Then a usage becomes an element of $L^3$. Among the 27 possible usages of the shape $(a, b, c)$ for $a, b, c \in L$, we argue that there are 5 main ones as described in table 3 (left part). First of all, we must have $a \ne 0$ and ($b \ne 0$ or $c \ne 0$) since a signal on which we cannot send or receive has no interest. Now if $a = \infty$ then we are forced to take $b = 0$ since we want to preserve the determinacy. Then for $c = \infty$ we have the usage $e_1$ and for $c = 1$ we have the usage $e_3$. Suppose now $a = 1$. One choice is to have $b = c = \infty$ and then we have the usage $e_2$. On the other hand if we want to preserve affinity then we should receive the emitted value at most once. Hence we have $b = 0, c = 1$ or $b = 1, c = 0$ which correspond to the usages $e_4$ and $e_5$, respectively. From these 5 main usages within an instant, we obtain the derived ones (see again table 3) by simply turning one or more 1's to 0's. We only add, subtract, compare usages in $L^3$ that are derived from the same main usage.

In a synchronous framework, it makes sense to consider how usages vary over time. The simplest solution would be to look at signal usages of the shape $x^\omega$, $x \in L^3$, which are invariant under time. However, to reason effectively on programs, we are led to consider signal usages of the shape $xy^\omega$ where $x, y \in L^3$ are derived from the same main usage.

The reader may have noticed that in this discussion we have referred to increasingly complex 'usages' varying over $L$, $L^3$, and $(L^3)^\omega$. Henceforth a signal usage belongs to $(L^3)^\omega$. Usages are classified in 5 kinds as shown in table 3.²

We denote with $U$ the set of all these usages and with $U(i)$ the set of usages of kind $i$, for $i = 1, \ldots, 5$. We consider that the addition operation $\oplus$ is defined only if $u, u' \in U(i)$ and $u \oplus u' \in U(i)$ for some $i \in \{1, \ldots, 5\}$. Similar conventions apply when comparing and subtracting usages. If $u \in U$ then $\uparrow u$, the shift of $u$, is the infinite word in $U$ obtained from $u$ by removing the first character. This operation is always defined. If $u$ is a signal usage, then $u(i)$ for $i \ge 0$ denotes its $i$-th character and $u(i)_j$ for $j \in \{1, 2, 3\}$ the $j$-th component of $u(i)$.

We classify the usages according to 3 properties: affinity, uniformity, and preservation of affinity. We say that a usage is affine if it contains a '1' and non-affine otherwise. We also say that it is uniform if it is of the shape $x^\omega$ and that it is neutral if it is the neutral element with respect to the addition $\oplus$ on the set of usages $U(i)$ to which it belongs. It turns out that the non-affine signal usages are always uniform and moreover they coincide with the neutral ones. Finally, by definition, the usages in the sets $U(i)$ for $i = 3, 4, 5$ are affine preserving. The classification is summarised in table 3 (right part).

² The fact that, e.g., $(1, 0, 0)$ occurs both in the usages of kind 4 and 5 is a slight source of ambiguity which is resolved by assuming that the kind of the usage is made explicit.

main usage | derived usages | $xy^\omega \in U(i)$ is | affine | uniform | aff. preserving
$e_1 = (\infty, 0, \infty)$ | (none) | $i = 1$ | no | yes | no
$e_2 = (1, \infty, \infty)$ | $(0, \infty, \infty)$ | $i = 2$ | yes/no | yes/no | no
$e_3 = (\infty, 0, 1)$ | $(\infty, 0, 0)$ | $i = 3$ | yes/no | yes/no | yes
$e_4 = (1, 0, 1)$ | $(1, 0, 0)$, $(0, 0, 1)$, $(0, 0, 0)$ | $i = 4$ | yes/no | yes/no | yes
$e_5 = (1, 1, 0)$ | $(1, 0, 0)$, $(0, 1, 0)$, $(0, 0, 0)$ | $i = 5$ | yes/no | yes/no | yes

Table 3: Usages and their classification

3.2 Types

In first approximation, types are either inductive types or signal types. As usual, an inductive type such as the type $List(\sigma)$ of lists of elements of type $\sigma$ is defined by an equation $List(\sigma) = nil \mid cons \text{ of } \sigma, List(\sigma)$ specifying the ways in which an element of this type can be built.

In our context, inductive types come with a usage $x$ which belongs to the set $\{1, \infty\}$ and which intuitively specifies whether the values of this type can be used at most once or arbitrarily many times (once more we recall that $1$ and $\infty$ are incomparable). To summarise, if $\sigma_1, \ldots, \sigma_k$ are types already defined then an inductive type $C_x(\sigma_1, \ldots, \sigma_k)$ is defined by case on constructors of the shape $c \text{ of } \sigma'_1, \ldots, \sigma'_m$ where the types $\sigma'_j$, $j = 1, \ldots, m$ are either one of the types $\sigma_i$, $i = 1, \ldots, k$ or the inductive type $C_x(\ldots)$ being defined. There is a further constraint that has to be respected, namely that if one of the types $\sigma_i$ is 'affine' then the usage $x$ must be affine preserving, i.e., $x = 1$. An affine type is simply a type which contains an affine usage. The grammar in table 4 will provide a precise definition of the affine types.

When collecting the values at the end of the instant we shall also need to consider set types. They are described by an equation $Set_x(\sigma) = nil \mid cons \text{ of } \sigma, Set_x(\sigma)$ which is quite similar to the one for lists. Note that set types too come with a usage $x \in \{1, \infty\}$ and that if $\sigma$ is an affine type then the usage $x$ must be affine preserving. The reader might have noticed that we take the freedom of using the constructor $nil$ both with the types $List_u(\sigma)$ and $Set_u(\sigma)$, $u \in \{1, \infty\}$, and the constructor $cons$ both with the types $(\sigma, List_u(\sigma)) \to List_u(\sigma)$ and $(\sigma, Set_u(\sigma)) \to Set_u(\sigma)$. However, one should assume that a suitable label on the constructors will allow us to disambiguate the situation.

Finally, we denote with $Sig_u(\sigma)$ the type of signals carrying values of type $\sigma$ according to the signal usage $u$. As for inductive and set types, if $\sigma$ is an affine type then the signal usage $u$ must be affine preserving. To formalise these distinctions, we are led to use several names for types as specified in table 4. We denote with $\kappa$ non-affine (or classical) types, i.e., types that carry no affine information. These types have a uniform usage. We denote with $\lambda$ affine and uniform types. The types $\sigma, \sigma', \ldots$ stand for types with uniform usage (either non-affine or affine). Finally, the types $\rho, \rho', \ldots$ include all the previous ones plus types that have a non-uniform usage. We notice that classical uniform types can be nested in an arbitrary way, while affine uniform types can only be nested under type constructors that preserve affinity. Moreover, types with non-uniform usages (either classical or affine) cannot be nested at all.³ The partial operation of addition $\oplus$ is extended to types so that: $Op_{u_1}(\sigma) \oplus Op_{u_2}(\sigma) = Op_{u_1 \oplus u_2}(\sigma)$, where $Op$ can be $C$, $Set$, or $Sig$, and provided that $u_1 \oplus u_2$ is defined. For instance, $List_1(\lambda) \oplus List_1(\lambda)$ is undefined because $1 \oplus 1$ is not defined.

A type context (or simply a context) $\Gamma$ is a partial function with finite domain $dom(\Gamma)$ from variables to types. An addition operation $\Gamma_1 \oplus \Gamma_2$ on contexts is defined, written $(\Gamma_1 \oplus \Gamma_2)\downarrow$, if and only if for all $x$ such that $\Gamma_1(x) = \rho_1$ and $\Gamma_2(x) = \rho_2$, the type $\rho_1 \oplus \rho_2$ is defined. The shift operation is extended to contexts so that $(\uparrow\Gamma)(x) = Sig_{\uparrow u}(\sigma)$ if $\Gamma(x) = Sig_u(\sigma)$ and $(\uparrow\Gamma)(x) = \Gamma(x)$ otherwise. We also denote with $\Gamma, x : \sigma$ the context $\Gamma$ extended with the pair $x : \sigma$ (so $x \notin dom(\Gamma)$). We say that a context is neutral (uniform) if it assigns to variables neutral (uniform) types.

3.3 Semantic instrumentation

As we have seen, each signal belongs to exactly one of 5 kinds of usages. Let us consider in particular the kind 5 whose main usage is $e_5$. The forthcoming type system is supposed to guarantee that a value emitted on a signal of kind 5 is received at most once during an instant. Now, consider the program $\bar{s}t \mid s(x).\bar{x}, 0$ and attribute a usage of kind 5 to the signals $s$ and $t$. According to this usage this program should be well typed. However, if we apply the labelled transition system in table 2, this program reduces to $(\bar{s}t \mid \bar{t})$ which fails to be well-typed because the double occurrence of $t$ is not compatible with an affine usage of $t$. Intuitively, after the signal $s$ has been read once no other synchronisation should arise during the instant either within the program or with the environment. To express this fact we proceed as follows. First, we instrument the semantics so that it marks (underlines) the emissions on signals of kind 5 that have been used at least once during the instant. The marking has no effect on the labelled transition system in the sense that $\underline{\bar{s}e}$ behaves exactly as $\bar{s}e$.

$(out)\ \dfrac{e \Downarrow v}{\bar{s}e \xrightarrow{\bar{s}v} \underline{\bar{s}e}}$ \qquad $(\underline{out})\ \dfrac{e \Downarrow v}{\underline{\bar{s}e} \xrightarrow{\bar{s}v} \underline{\bar{s}e}}$ \qquad $(reset)\ \dfrac{e \Downarrow v \quad v \text{ occurs in } V(s)}{\underline{\bar{s}e} \xrightarrow{[\{v\}/s],V} 0}$

On the other hand, we introduce a special rule $(\underline{out})$ to type $\underline{\bar{s}e}$ which requires at least a usage $(1, 1, 0) \cdot (0, 0, 0)^\omega$ for the signal $s$ while neglecting the expression $e$. By doing this, we make sure that a second attempt to receive on $s$ will produce a type error. In other terms, if typing is preserved by 'compatible' transitions, then we can be sure that a value emitted on a signal of kind 5 is received at most once within an instant.

3.4 Type system

The type system is built around a few basic ideas. (1) Usages including both input and output capabilities can be decomposed into simpler ones. For instance, $(1, 1, 0)^\omega = (1, 0, 0)(0, 1, 0)^\omega \oplus (0, 1, 0)(1, 0, 0)^\omega$. (2) A rely-guarantee kind of reasoning: when we emit a value we guarantee certain resources while when we receive a value we rely on certain resources. (3) Every affine usage can be consumed at most once in the typing judgement (and in the computation).

³ What is the meaning of sending a data structure containing information whose usage is time-dependent? Is the time information relative to the instant where the data structure is sent or used? We leave open the problem of developing a type theory with usages more complex than the ones of the shape $xy^\omega$ considered here.
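As an added example (Python, not the paper's own code) of the usage algebra of section 3.1, of the classification of table 3, of the addition on types of section 3.2 and of the decomposition of usages used in point (1) above: the partial addition $\oplus$, the order and the subtraction $\ominus$ on $L = \{0, 1, \infty\}$ are implemented, lifted componentwise to $L^3$ and then to usages $xy^\omega$ of a fixed kind, together with the shift and the affine/uniform/neutral predicates. The encoding of a usage as a triple `(kind, x, y)` and of a type as `(Op, usage, argument)` is this example's own convention.

```python
"""Added example (not the paper's own code): a Python model of the usage algebra
of section 3.1, the five kinds of table 3, and the additions on usages and types
of sections 3.2 and 3.4. A usage letter is a triple (emit, receive within the
instant, receive at the end of the instant) over L = {0, 1, INF}; a signal usage
x y^omega is encoded as the triple (kind, x, y)."""
from itertools import product

INF = float("inf")
L = (0, 1, INF)

# Main usages e1..e5 of table 3, indexed by their kind.
MAIN = {1: (INF, 0, INF), 2: (1, INF, INF), 3: (INF, 0, 1),
        4: (1, 0, 1), 5: (1, 1, 0)}


def add1(a, b):
    """Partial addition on L: 0 is neutral, INF + INF = INF; 1 + 1, 1 + INF
    and INF + 1 are undefined (None)."""
    if a == 0:
        return b
    if b == 0:
        return a
    return INF if a == INF and b == INF else None


def leq1(a, b):
    """a <= b iff a + c == b for some c (0 is least; 1 and INF are incomparable)."""
    return any(add1(a, c) == b for c in L)


def sub1(a, b):
    """a - b: the largest c with a == b + c; only defined when b <= a."""
    for c in (INF, 1, 0):  # INF before 0, since both solve INF == INF + c
        if add1(b, c) == a:
            return c
    raise ValueError("subtraction undefined")


def add3(x, y):
    """Componentwise addition on L^3, undefined as soon as one component is."""
    r = tuple(add1(a, b) for a, b in zip(x, y))
    return None if None in r else r


def derived(kind):
    """All usages of a kind: the main usage with any subset of its 1's turned to 0."""
    main = MAIN[kind]
    ones = [i for i, a in enumerate(main) if a == 1]
    out = set()
    for keep in product((0, 1), repeat=len(ones)):
        u = list(main)
        for i, bit in zip(ones, keep):
            u[i] = bit
        out.add(tuple(u))
    return out


def usages(kind):
    """All signal usages x y^omega whose letters derive from the same main usage."""
    return {(kind, x, y) for x in derived(kind) for y in derived(kind)}


def add(u, v):
    """Addition on signal usages: same kind, letterwise, result must stay in U(kind)."""
    if u[0] != v[0]:
        return None
    x, y = add3(u[1], v[1]), add3(u[2], v[2])
    if x is None or y is None or x not in derived(u[0]) or y not in derived(u[0]):
        return None
    return (u[0], x, y)


def shift(u):
    """The shift of x y^omega removes the first letter, giving y^omega."""
    return (u[0], u[2], u[2])


def classify(u):
    """Affine, uniform and affinity-preserving as in table 3 (right part), plus neutrality."""
    kind, x, y = u
    return {"affine": 1 in x or 1 in y,
            "uniform": x == y,
            "neutral": all(add(u, v) == v for v in usages(kind)),
            "aff_preserving": kind in (3, 4, 5)}


def add_type(t1, t2):
    """Op_u1(sigma) + Op_u2(sigma) = Op_{u1+u2}(sigma): a type is encoded as
    (Op, usage, argument); the usage is a letter in {1, INF} for inductive and
    set types and a signal usage for Op = "Sig". None when undefined."""
    (op, u1, s1), (op2, u2, s2) = t1, t2
    if op != op2 or s1 != s2:
        return None
    u = add(u1, u2) if op == "Sig" else add1(u1, u2)
    return None if u is None else (op, u, s1)


if __name__ == "__main__":
    # (1,1,0)^omega = (1,0,0)(0,1,0)^omega + (0,1,0)(1,0,0)^omega, kind 5.
    print(add((5, (1, 0, 0), (0, 1, 0)), (5, (0, 1, 0), (1, 0, 0))))
```

Running `classify` over every usage of every kind confirms the two claims of section 3.1 that the table only states: the non-affine usages are exactly the neutral ones, and all of them are uniform.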
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When formalising the typing judgements we need to distinguish the typing of an expression 
e from the typing of an expression with dereferenciation r and the typing of a recursive call 
A(e\, . . . , e n ) from the typing of a recursive call at the end of the instant A(r\, . . . , r n ). To 
do this we shall write [r] rather than r and [-A(n, . . . , r n )] rather than A(r\, . . . , r n ). 

We shall consider four typing judgements: T h e : p, T h [r] : p, T h P, and T h 
[-A(ri, . . . ,r n )], and we wish to refer to them with a uniform notation T \- U : T. To this 
end, we introduce a fictious type Pr of programs and regard the judgements V \- P : Pr and 
r h [A(r*i, . . . , r n )] : Pr as an expansion of V h P and T h L4(ri, . . . , r n )], respectively. Then 
we let J7 stand for one of e, [r], P, [A(r±, . . . , r n )}, and T for one of p, Pr. 

We assume that function symbols are given non-afhne types of the shape («i, . . . , K n ) — ► re. 
We denote with /c either a constructor or a function symbol and we assume that its type is 
explicitly given. 

The typing rules are given in table [H We comment first on the typing rules for the 
expressions. We notice that the arguments and the result of a constructor or a function symbol 
have always a uniform type. The rules (Iset) and (^List) describe the type of a dereferenced 
signal following its usage. If the usage is of kind 1 then the list of values associated with the 
signal at the end of the instant must be treated as a set, if the usage is of kind 2 then we 
know that the list of values contains at most one element and therefore its processing will 
certainly be 'order-independent', if the usage is of kind 3 then the list may contain several 
values and it must be processed as an affine set, finally if the usage is of kind 4 (the usage of 
kind 5 forbids reception at the end of the instant) then again the list of values will contain 
at most one element so we can rely on an affine list type. 

Notice the special form of the rule [var s i g ]. The point here is that in a recursive call 
K = A(\s, s) at the end of instant, we need to distinguish the resources needed to type !s 
which should relate to the current instant from the resources needed to type s which should 
relate to the following instants. For instance, we want to type K in a context s : Sig u (a) 
where u = (0,0, l) u . This is possible because we can decompose u in u\ ® U2, where u\ = 
(0, 0, 1)(0, 0, 0) w and U2 = (0, 0, 0)(0, 0, l) w , and we can rely on u\ to type [Is] and on U2 to 
type [s] (by [varsig]). 

A set-type is a particular case of quotient type and therefore its definition goes through
the definition of an equivalence relation ~_ρ on values. This is defined as the least equivalence
relation such that s ~_{Sig_u(σ)} s, c ~_{C(σ)} c if c is a constant of type C(σ), and

\[
\begin{array}{ll}
c(v_1, \ldots, v_n) \sim_{C_u(\sigma_1, \ldots, \sigma_n)} c(u_1, \ldots, u_n) & \text{if } v_i \sim_{\sigma_i} u_i \text{ for } i = 1, \ldots, n \\[1ex]
[v_1; \ldots; v_n] \sim_{Set_u(\sigma)} [u_1; \ldots; u_m] & \text{if } \{v_1, \ldots, v_n\} \sim_{Set_u(\sigma)} \{u_1, \ldots, u_m\},
\end{array}
\]

where: {v_1, ..., v_n} ~_{Set_u(σ)} {u_1, ..., u_m} if, for some permutation π, v_i ~_σ u_{π(i)} for i = 1, ..., n.

Furthermore, we assume that each function symbol f, coming with a (classical) type
(κ_1, ..., κ_n) → κ, respects the typing in the following sense: (1) if v_i ~_{κ_i} u_i, i = 1, ..., n,
f(v_1, ..., v_n) ⇓ v and f(u_1, ..., u_n) ⇓ u then v ~_κ u. (2) If Γ ⊢ f(v_1, ..., v_n) : κ and
f(v_1, ..., v_n) ⇓ v then Γ ⊢ v : κ.
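As an added illustration, not part of the paper, the following Python code implements the relation ~ on set, list, signal and constructor types and checks condition (1) on function symbols against the next function of the cell example (example 19 in appendix A); the encoding of types and values, the function names and the sample inputs are assumptions of this example.

```python
from itertools import permutations, product

# Constructed encoding, assumed for this example (it is not the paper's notation):
#   type  ::= "Sig"                Sig_u(sigma); the usage u plays no role in ~
#           | ("C", sigs)          inductive type: sigs maps each constructor to
#                                  the list of its argument types
#           | ("Set", ty)          Set_u(ty): a list read up to permutation
#           | ("List", ty)         List_u(ty): order matters
#   value ::= str                  a signal name
#           | (ctor, v1, ..., vn)  a constructed value (n = 0 for a constant)
#           | [v1, ..., vn]        a list, typed as Set or List


def equiv(v, u, ty):
    """v ~_ty u: the least equivalence relation that identifies a set-typed
    list with any permutation of itself and is a congruence on constructors."""
    if ty == "Sig":
        return v == u                      # a signal is only related to itself
    kind = ty[0]
    if kind == "C":
        if v[0] != u[0] or len(v) != len(u):
            return False                   # different constructors
        arg_types = ty[1][v[0]]
        return all(equiv(a, b, t) for a, b, t in zip(v[1:], u[1:], arg_types))
    if kind == "List":
        return len(v) == len(u) and all(equiv(a, b, ty[1]) for a, b in zip(v, u))
    if kind == "Set":
        # {v_1..v_n} ~ {u_1..u_m}: same size and a permutation pi with v_i ~ u_pi(i)
        return len(v) == len(u) and any(
            all(equiv(a, b, ty[1]) for a, b in zip(v, perm))
            for perm in permutations(u))
    raise ValueError(f"unknown type {ty!r}")


def equivalent_inputs(args, arg_types):
    """Yield argument tuples ~-equivalent to args: set-typed positions are permuted."""
    options = [
        [list(p) for p in permutations(a)] if isinstance(t, tuple) and t[0] == "Set" else [a]
        for a, t in zip(args, arg_types)
    ]
    yield from product(*options)


def respects_typing(f, arg_types, result_type, samples):
    """Condition (1) on a function symbol f : (k_1, ..., k_n) -> k: equivalent inputs
    must give equivalent results. Returns the first counterexample (args, alt) or None."""
    for args in samples:
        ref = f(*args)
        for alt in equivalent_inputs(args, arg_types):
            if not equiv(ref, f(*alt), result_type):
                return tuple(args), tuple(alt)
    return None


# Example 19: next : (State, Set_oo(State)) -> State, with State = {dead, alive}.
STATE = ("C", {"dead": [], "alive": []})
NEXT_ARG_TYPES = [STATE, ("Set", STATE)]


def next_majority(q, neighbours):
    """A cell follows the majority of its neighbours; the count is order-independent."""
    alive = sum(1 for n in neighbours if n[0] == "alive")
    if 2 * alive > len(neighbours):
        return ("alive",)
    if 2 * alive < len(neighbours):
        return ("dead",)
    return q  # a tie keeps the current state


def next_first(q, neighbours):
    """Copies the first neighbour's state: depends on list order, so it does not respect the typing."""
    return neighbours[0] if neighbours else q


SAMPLES = [  # constructed inputs
    (("dead",), [("alive",), ("dead",), ("alive",)]),
    (("alive",), [("dead",), ("dead",), ("alive",)]),
]

if __name__ == "__main__":
    print(respects_typing(next_majority, NEXT_ARG_TYPES, STATE, SAMPLES))  # None
    print(respects_typing(next_first, NEXT_ARG_TYPES, STATE, SAMPLES))     # a counterexample
```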

Finally, we turn to the typing of programs. We assume that each thread identifier A,
defined by an equation A(x_1, ..., x_n) = P, comes with a type (σ_1, ..., σ_n). Hence we require
these types to be uniform. We also require that A has the property that: (i) if v_i ~_{σ_i} u_i for
i = 1, ..., n then A(v_1, ..., v_n) ≈ A(u_1, ..., u_n) and (ii) x_1 : σ_1, ..., x_n : σ_n ⊢ P is derivable.

We also suppose that generated signal names are explicitly labelled with their types as
in νs : ρ P. The labelled transition system in table 2 is adapted so that the output action
carries the information on the types of the extruded names. This type is lifted by the rule
(next) so that, e.g., νs : ρ s.0, A(s) →^N νs : ↓ρ A(s).

Table 4: Affine type system

Types:

\[
\begin{array}{lcll}
\kappa & ::= & C_\infty(\kappa) \mid Set_\infty(\kappa) \mid Sig_u(\kappa) & (u \text{ neutral}) \\
\lambda & ::= & C_1(\sigma) \mid Set_1(\sigma) \mid Sig_u(\kappa) \mid Sig_v(\lambda) & (u \text{ affine and uniform, } v \text{ aff.-pres. and uniform}) \\
\sigma & ::= & \kappa \mid \lambda & (\text{uniform types}) \\
\rho & ::= & \sigma \mid Sig_u(\kappa) \mid Sig_v(\lambda) & (v \text{ affine-preserving})
\end{array}
\]

Typing of expressions and of continuations:

\[
\begin{array}{c}
\textrm{(var)}\quad \dfrac{u \geq u' \qquad Op \in \{Sig, Set, C\}}{\Gamma, x : Op_u(\sigma) \vdash x : Op_{u'}(\sigma)}
\qquad
\textrm{(k)}\quad \dfrac{\Gamma_i \vdash e_i : \sigma_i \ (i = 1, \ldots, n) \qquad k : (\sigma_1, \ldots, \sigma_n) \to \sigma \qquad k = f \text{ or } k = c}{\Gamma_0 \oplus \Gamma_1 \oplus \cdots \oplus \Gamma_n \vdash k(e_1, \ldots, e_n) : \sigma}
\\[3ex]
[\textrm{var}_c]\quad \dfrac{Op \in \{C, Set\}}{\Gamma, x : Op_u(\sigma) \vdash [x] : Op_u(\sigma)}
\qquad
[\textrm{var}_{sig}]\quad \dfrac{y^\omega \geq u}{\Gamma, s : Sig_{x y^\omega}(\sigma) \vdash [s] : Sig_u(\sigma)}
\\[3ex]
[k]\quad \dfrac{\Gamma_i \vdash [r_i] : \sigma_i \ (i = 1, \ldots, n) \qquad k : (\sigma_1, \ldots, \sigma_n) \to \sigma \qquad k = f \text{ or } k = c}{\Gamma_0 \oplus \Gamma_1 \oplus \cdots \oplus \Gamma_n \vdash [k(r_1, \ldots, r_n)] : \sigma}
\\[3ex]
[!Set]\quad \dfrac{(u(0) \geq (\infty,0,\infty) \wedge x = \infty) \vee (u(0) \geq (0,\infty,\infty) \wedge x = \infty) \vee (u(0) \geq (\infty,0,1) \wedge x = 1)}{\Gamma, s : Sig_u(\sigma) \vdash [!s] : Set_x(\sigma)}
\qquad
[!List]\quad \dfrac{u(0) \geq (0,0,1) \wedge x = 1}{\Gamma, s : Sig_u(\sigma) \vdash [!s] : List_x(\sigma)}
\end{array}
\]

Typing of programs:

\[
\begin{array}{c}
\textrm{(in)}\quad \dfrac{\Gamma_1 \vdash s : Sig_u(\sigma) \qquad u(0)_2 \neq 0 \qquad \Gamma_2, x : \sigma \vdash P \qquad (\Gamma_1 \oplus \Gamma_2) \vdash [A(r)]}{(\Gamma_1 \oplus \Gamma_2) \vdash s(x).P, A(r)}
\\[3ex]
\textrm{(out)}\quad \dfrac{\Gamma_1 \vdash s : Sig_u(\sigma) \qquad u(0)_1 \neq 0 \qquad \Gamma_2 \vdash e : \sigma}{(\Gamma_1 \oplus \Gamma_2) \vdash \bar{s}e}
\qquad
(\nu)\quad \dfrac{\Gamma, s : Sig_u(\sigma) \vdash P}{\Gamma \vdash \nu s : Sig_u(\sigma)\ P}
\\[3ex]
\textrm{(mc)}\quad \dfrac{c : (\sigma_1, \ldots, \sigma_n) \to \sigma \qquad \Gamma_1 \vdash u : \sigma \qquad \Gamma_2, x_1 : \sigma_1, \ldots, x_n : \sigma_n \vdash P_1 \qquad \Gamma_2 \vdash P_2}{\Gamma_1 \oplus \Gamma_2 \vdash [u \rhd c(x_1, \ldots, x_n)]P_1, P_2}
\\[3ex]
\textrm{(par)}\quad \dfrac{\Gamma_i \vdash P_i \qquad i = 1, 2}{\Gamma_1 \oplus \Gamma_2 \vdash P_1 \mid P_2}
\qquad
\textrm{(rec)}\quad \dfrac{\Gamma_i \vdash e_i : \sigma_i \ (i = 1, \ldots, n) \qquad A : (\sigma_1, \ldots, \sigma_n)}{\Gamma_1 \oplus \cdots \oplus \Gamma_n \vdash A(e_1, \ldots, e_n)}
\end{array}
\]

The premises of the remaining rules of the table ((ms) for the matching of signal names, the variant of (out) for usages of kind 5 with u(0) = (1,1,0), and the rule for continuations [A(r_1, ..., r_n)]) are illegible in the scan.

Example 3 With reference to the example of client-server in section [H, assume an inductive
(non-affine) type D of data. Let σ_1 = Sig_{u_1}(D) where u_1 = (1,0,0)^ω be the type
of the signals on which the server will eventually provide an answer. Let Req_1(σ_1, D) =
req of σ_1, D be the type of requests, which are pairs composed of a signal and a datum.
Let σ_set = Set_1(Req_1(σ_1, D)) be the type of the set of requests issued by the clients. Let
σ = Sig_u(Req_1(σ_1, D)) with u = (∞,0,1)^ω be the type of the signal on which the server gets
the requests and σ' = Sig_{u'}(Req_1(σ_1, D)), with u' = (∞,0,0)^ω, the related type of the signal
on which the clients send the requests. Finally, let σ_t = Sig_u(D) be the type of the signal on
which the client sends the received answer (with a suitable usage u). Then we can type Server
and Client as follows: Server : (σ), Handle : (σ, σ_set), and Client : (D, σ', σ_t).

Remark 4 In a practical implementation of the type system, one can expect the programmer
to assign a kind (1-5) to each signal and let the system infer a minimum usage which is
compatible with the operations performed by the program.

4 Results 

We start by stating the expected weakening and substitution properties of the type system. 

Lemma 5 (weakening) If Γ ⊢ U : T and (Γ ⊕ Γ') ↓ then (Γ ⊕ Γ') ⊢ U : T.

Lemma 6 (substitution) If Γ, x : ρ ⊢ U : T, Γ' ⊢ v : ρ, and (Γ ⊕ Γ') ↓ then (Γ ⊕ Γ') ⊢
[v/x]U : T.

Next we specify when a context Γ is compatible with an action act, written (Γ, act) ↓.
Recall that V and E denote a function from signals to finite lists of distinct values and finite
sets of values, respectively. If V(s) = [v_1; ...; v_n] then let (V\E)(s) = {v_1, ..., v_n}\E(s).
Then define a program P_{V\E} as the parallel composition of emissions s̄v such that v ∈
(V\E)(s). Intuitively, this is the emission on an appropriate signal of all the values which are
in V but not in E. We also let P_V stand for P_{V\∅} where ∅(s) = ∅ for every signal s.

Definition 7 With each action act, we associate a minimal program P_act that allows the
action to take place:

\[
P_{act} = \begin{cases}
0 & \text{if } act = \tau \text{ or } act = N \\
\bar{s}v & \text{if } act = sv \text{ or } act = s?v \\
s(x).0, 0 & \text{if } act = \nu t : \sigma\ \bar{s}v \\
P_{V \setminus E} & \text{if } act = (E, V)
\end{cases}
\]

Definition 8 (compatibility context and action) A context Γ is compatible with an action
act, written (Γ, act) ↓, if ∃Γ' (Γ ⊕ Γ') ↓ and Γ' ⊢ P_act.

We can now introduce the concept of typed transition which is a transition labelled with
an action act of a program typable in a context Γ such that Γ and act are compatible.

Definition 9 (typed transition) We write P →^{act}_Γ Q (P ⇒^{act}_Γ Q) if: (1) Γ ⊢ P, (2)
(Γ, act) ↓, and (3) P →^{act} Q (P ⇒^{act} Q, respectively).
Next, we introduce the notion of residual context which is intuitively the context left after
a typed transition (the definition for the auxiliary actions is available in appendix B.5). First,
we notice that given a (uniform) type σ and a value v we can define the minimum context
Δ(v, σ) such that Δ(v, σ) ⊢ v : σ. Namely, we set Δ(s, σ) = s : σ and Δ(c(v_1, ..., v_n), σ) =
Δ(v_1, σ_1) ⊕ ··· ⊕ Δ(v_n, σ_n) if c : (σ_1, ..., σ_n) → σ. Notice that Δ(v, σ) is the empty context
if fn(v) = ∅ and it is a neutral context if σ is non-affine.

Definition 10 (residual context) Given a context Γ and a compatible and relevant action
α, the residual context Γ(α) is defined as follows:

\[
\Gamma(\alpha) = \begin{cases}
\Gamma & \text{if } \alpha = \tau \\
\downarrow\Gamma & \text{if } \alpha = N \\
(\Gamma, t : \sigma') \ominus \Delta(v, \sigma') \oplus \{s : Sig_{u_5}(\sigma')\} & \text{if } \Gamma(s) = Sig_u(\sigma'),\ \alpha = \nu t : \sigma'\ \bar{s}v \quad (1) \\
\Gamma \oplus \Delta(v, \sigma') \oplus \{s : Sig_{u_{out}}(\sigma')\} & \text{if } \Gamma(s) = Sig_u(\sigma'),\ \alpha = sv \quad (2)
\end{cases}
\]

(1) u_5 = (0,1,0)·(0,0,0)^ω if u ∈ U(5) and it is neutral otherwise (i.e., u ∈ U(2)). (2) u_out
is the least usage of the same kind as u which allows performing an output within the instant
(always defined).

The notion of residual context is instrumental to a precise statement of the way transitions 
affect the typing. First we notice that the type of expressions is preserved by the evaluation 
relation. 

Lemma 11 (expression evaluation) If Γ ⊢ e : ρ and e ⇓ v then Γ ⊢ v : ρ.

The following lemma records the effect of the substitution at the end of the instant.

Lemma 12 (substitution, end of instant) (1) If Γ ⊢ [A(r)], Γ' ⊢ P_V, and (Γ ⊕ Γ') ↓
then ↓(Γ ⊕ Γ') ⊢ V(A(r)).

(2) If moreover there are V', E such that V, V' ⊩ E then V(A(r)) ≈ V'(A(r)).

Finally, the subject reduction theorem states that the residual of a typed transition is
typable in the residual context (again, the residual context on auxiliary actions is defined in
appendix B.5).

Theorem 13 (subject reduction) If P →^{act}_Γ Q then Γ(act) ⊢ Q.

Next we introduce a notion of typed bisimulation which refines the one given in definition
[?] by focusing on typed processes and typed transitions. Let Cxt be the set of contexts and if
Γ ∈ Cxt let Pr(Γ) be the set of programs typable in the context Γ.

Definition 14 (typed bisimulation) A typed bisimulation is a function R indexed on
Cxt such that for every context Γ, R_Γ is a symmetric relation on Pr(Γ) such that: P R_Γ Q,
P →^α_Γ P', bn(α) ∩ fn(Q) = ∅ implies ∃Q' ( Q ⇒^α_Γ Q', P' R_{Γ(α)} Q' ). We denote with ≈_Γ
the largest typed labelled bisimulation.

An expected property of typed bisimulation is that it is a weaker property than untyped
bisimulation: if we cannot distinguish two processes by doing arbitrary actions we cannot
distinguish them when doing actions which are compatible with the typing.

Proposition 15 If P, Q ∈ Pr(Γ) and P ≈ Q then P ≈_Γ Q.



We write P ⇝ Q if P →^τ Q or P = Q. The following lemma states a strong commutation
property of typed τ actions and it entails that typed bisimulation is invariant under τ-actions.

Lemma 16 (1) If P →^τ_Γ P_i for i = 1, 2 then there is a Q such that P_i ⇝ Q for i = 1, 2.
(2) If P →^τ_Γ Q then P ≈_Γ Q.

The second key property is that the computation at the end of the instant is deterministic
and combining the two lemmas, we derive that typable programs are deterministic.

Lemma 17 If P →^N_Γ P_i for i = 1, 2 then P_1 ≈_{↓(Γ)} P_2.

Theorem 18 (determinacy) If P →^τ_Γ · →^τ_Γ ··· →^N_Γ P_i, i = 1, 2, Γ' = ↓Γ then P_1 ≈_{Γ'} P_2.

5 Conclusion 

The main contribution of this work is the identification of 5 kinds of usages in signal-based 
communication and of the rules that allow their composition while preserving determinacy. 
This goes well beyond previous analyses for ESTEREL-like languages we are aware of, which are
essentially 'first-order' in the sense that signals are not treated as first-class values. Technically,
we have shown that a typable process P is deterministic. This result builds on previous
work by the authors [2, 4] on a mathematical framework to reason about the equivalence of
programs which is comparable to the one available for the π-calculus.
A Typing examples

We consider two examples that are part of the folklore on synchronous programming (see,
e.g., [?]) and a third one that suggests that a certain form of single-assignment reference can
be modelled in our framework.

Example 19 (cell) We describe the behaviour of a generic cell that might be used in the
simulation of a dynamic system. Each cell relies on three parameters: its state q, its own
activation signal s, and the list ℓ of activation signals of its neighbours. The cell performs
the following operations in a cyclic fashion: (i) it emits its current state along the activation
signals of its neighbours, (ii) it waits till the end of the current instant (pause), and (iii) it
collects the values emitted by its neighbours and computes its new state.

Cell(q, s, ℓ) = Send(q, s, ℓ, ℓ)

Send(q, s, ℓ, ℓ') = [ℓ' ▷ cons(s', ℓ'')] (s̄'q | Send(q, s, ℓ, ℓ'')),
                    pause.Cell(next(q, !s), s, ℓ)

where next is a function that computes the following state of the cell according to its
current state and the state of its neighbours. Assuming that the function next is invariant
under permutations of the list of states, we would like to show that the evolution of the
simulation is deterministic. To express this invariance, a natural idea is to treat the 'list' of
distinct states as a 'set', i.e., as a list quotiented by a relation that identifies a list with any
of its permutations.

We now turn to the typing. Assume an inductive (non-affine) type State to represent
the state of a cell and let σ = Sig_u(State) where u = (∞,0,∞)^ω and σ' = List_∞(σ). Then
we can require: Cell : (State, σ, σ') and Send : (State, σ, σ', σ'). Because the usage of the
signals under consideration is (∞,0,∞)^ω, the type of their dereferencing is Set_∞(State)
and therefore we must require next : (State, Set_∞(State)) → State, which means that the result
of the function next must be invariant under permutations of the list of (distinct) states.

Example 20 (synchronous data flow) We provide an example of synchronous data-flow
computation. The network is described by the program

νs_2, s_3, s_4, s_5 ( A(s_1, s_2, s_3, s_4) | B(s_2, s_3, s_5, s_6) | C(s_4, s_5) )

A(s_1, s_2, s_3, s_4) = s_1(x).( s̄_2 f(x) | s_3(y).( s̄_4 g(y) | pause.A(s_1, s_2, s_3, s_4) ), 0 ),
B(s_2, s_3, s_5, s_6) = s_2(x).( s̄_3 i(x) | s_5(y).( s̄_6 l(y) | pause.B(s_2, s_3, s_5, s_6) ), 0 ),
C(s_4, s_5) = s_4(x).( s̄_5 h(x) | pause.C(s_4, s_5) ).

Assuming that at each instant at most one value is emitted on the input signal s_1, we would
like to show that at each instant at most one value will be emitted on every other signal. This
example suggests that we should introduce a notion of affine usage in signals.

We now turn to the typing. We assume an inductive type D of data and let σ = Sig_u(D),
σ_I = Sig_{u_I}(D), and σ_O = Sig_{u_O}(D), where: u = (1,1,0)^ω, u_I = (0,1,0)^ω, and u_O =
(1,0,0)^ω. Then we can require: A : (σ_I, σ_O, σ_I, σ_O), B : (σ_I, σ_O, σ_I, σ_O), and C : (σ_I, σ_O).
The restricted signals s_2, ..., s_5 take the type σ and the overall system is well-typed with respect
to the context s_1 : σ_I, s_6 : σ_O.

Remark 21 (affinity vs. linearity) With reference to the dataflow example 20, one may
notice that the type system guarantees determinacy by making sure that at every instant at
most one value is emitted on every signal. One could consider a more refined type system that
guarantees that exactly one value is emitted on a signal at every instant^4. However, to obtain
this system it is not enough to require that all linear hypotheses in the context are used in the
typing. For instance, consider: νs, s' : σ (A(s, s') | A(s', s)) where: σ = Sig_…(…), A : (σ, σ),
and A(s, s') = s().(s̄' | pause.A(s, s')), A(s, s'). This program could be linearly typed but it
is stuck at every instant. Following previous work (see, e.g., [?]), one way to address this
problem is to partition signals in a finite set of regions and to order them. Then one designs
typing rules that require that a reception on a signal belonging to a given region only guards
(prefixes) emissions on signals belonging to higher regions.

Example 22 (single-assignment references) We introduce a kind of single-assignment
references that allow for a shared memory among different threads while preserving determinacy.
For simplicity, we look at references on some basic inductive type κ. The three basic
operations are: (1) newref(s, e) P creates a reference s whose scope is P and assigns it the
value resulting from the evaluation of e; (2) read(s, x).P reads the value v contained in the
reference s and runs [v/x]P; and (3) write(s, e).P evaluates e and writes its value in the
reference s. The written value will be available in the following instant. Reading and writing are
non-blocking operations; moreover, a value written at a given instant persists unless a following
write operation occurs. To ensure determinacy, we have to guarantee that at any instant
at most one value is written in a reference.

We model this situation by associating with each reference s a pair of signals (s, s'). The
first signal s has a usage of kind 2 (one write and arbitrarily many reads) while the signal s'
has a usage of kind 5 (one write and one read during the instant). A reference s containing
the value x is simulated by the following recursive program:

Ref(s, s', x) = s̄x | s'(y).pause.Ref(s, s', y), Ref(s, s', x)

where the type of Ref is (Sig_u(κ), Sig_{u'}(κ), κ) with u = (1, ∞, ∞)^ω and u' = (0, 1, 0)^ω. Thus
on the signal s, Ref emits the current value of the reference while on the signal s' it waits
for the value for the next instant. The usages we assign to the signals s and s' guarantee
that arbitrarily many threads can read the reference but at most one can write it at any given
instant. Formally, we can translate the three basic operations on references described above
as follows:

⟦newref(s, e) P⟧ = νs, s' (Ref(s, s', e) | ⟦P⟧)

⟦read(s, x).P⟧ = s(x).⟦P⟧, 0

⟦write(s, e).P⟧ = s̄'e | ⟦P⟧



^4 In this system the 'else' branch of the input operator would become useless.

Example 23 (clocks) We consider a kind of clock that still allows for a deterministic
execution^5. The value of a clock is a natural number which is emitted on a signal, hence within
an instant all threads can read the same clock value. At each instant, one or more threads may
reset the clock value. The effect of this reset is visible in the following instant. To program a
clock, we declare the unit type and the type of natural numbers:

Unit_∞() = *

Nat_∞() = Z | S of Nat()

With each clock we associate a thread Clock whose behaviour and type is defined as follows:

Clock(s, r, n) = s̄n | pause.Clock'(s, r, !r, n)

Clock : (Sig_u(Nat), Sig_{u'}(Unit), Nat),   u = (1, ∞, ∞)^ω,   u' = (∞, 0, 1)^ω

Clock'(s, r, ℓ, n) = [ℓ ▷ nil] Clock(s, r, S(n)), Clock(s, r, Z)

Clock' : (Sig_u(Nat), Sig_{u'}(Unit), Set_1(Unit), Nat)

Note that the typing guarantees that the thread Clock is the only one that can emit the
clock signal s and read the reset signal r. On the other hand, another thread using the clock
may read the clock value on the signal s and may reset it in the following instant by emitting
on the reset signal r.

B Proofs 

B.1 Proof of lemma 5

By induction on the typing rules. One uses several times the fact that ⊕ is associative and
commutative both on types and contexts and the fact that the rules are formulated so that
the conclusion still holds when the usages in the context Γ are increased (see, e.g., the rule
(var)).

B.2 Proof of lemma 6

The following lemma collects some preliminary remarks.

Lemma 24 (1) If Γ ⊢ U : T, Γ' ⊢ v : ρ, (Γ ⊕ Γ') ↓, and x ∉ dom(Γ) then
(Γ ⊕ Γ') ⊢ [v/x]U : T.

(2) If Γ ⊢ v : κ then there is a neutral context Γ' such that Γ' ⊢ v : κ and Γ = Γ' ⊕ Γ''.

(3) If Γ ⊢ v : ρ and ρ = ρ_1 ⊕ ··· ⊕ ρ_n then there exist Γ_1, ..., Γ_n such that Γ_1 ⊕ ··· ⊕ Γ_n = Γ
and Γ_i ⊢ v : ρ_i for i = 1, ..., n.

Proof (1) If x ∈ FV(U) then the only possibility is that x ∈ FV(e) where s̄e is a sub-term
of U. But then one can type s̄[v/x]e exactly as one types s̄e. So Γ ⊢ [v/x]U : T and we
conclude by weakening.

(2) We proceed by induction on v. For the inductive step, we use the fact that if c(v_1, ..., v_n)
has a neutral type then the v_i must have a neutral type too.

(3) If the type ρ is neutral then ρ = ρ_1 = ··· = ρ_n. By (2), we can find a neutral context
Γ' such that Γ' ⊢ v : ρ and Γ' ⊕ Γ'' = Γ. Then it suffices to take Γ_1 = Γ' ⊕ Γ'' and Γ_i = Γ'
for i = 2, ..., n. If the type ρ is affine and either an inductive type or a set type then we
must have n = 1 and the assertion follows immediately. Finally, if the type ρ is affine and
a signal type then the usages of the signal in the types ρ_1, ..., ρ_n allow to construct directly
the contexts Γ_1, ..., Γ_n. □

^5 Note that in the usual semantics of timed automata, the fact that two processes may atomically read and
reset the same clock may produce race conditions.
Next, to prove the substitution lemma we proceed by induction on the typing of U.

(var) Suppose Γ, y : Op_u(σ) ⊢ y : Op_{u'}(σ) with u ≥ u'.

• If Γ = Γ'', x : ρ and x ≠ y then ((Γ'', y : Op_u(σ)) ⊕ Γ')(y) = Op_{u''}(σ) with u'' ≥ u. Hence,
by (var), (Γ'', y : Op_u(σ)) ⊕ Γ' ⊢ y : Op_{u'}(σ).

• If x = y then [v/x]y = v. If Op is not Sig then u = u'. By hypothesis, Γ' ⊢ v : Op_u(σ)
and by weakening Γ'' ⊕ Γ' ⊢ v : Op_u(σ). On the other hand, if Op is Sig then, by (var),
(Γ'' ⊕ Γ') ⊢ v : Op_{u'}(σ).

(k) If k is a constant then apply weakening. Otherwise, suppose Γ, x : ρ = Γ_0 ⊕ Γ_1 ⊕ ··· ⊕ Γ_n
with Γ_i ⊢ e_i : σ_i, i = 1, ..., n. Let I = {i ∈ {1, ..., n} | x ∈ dom(Γ_i)}. If i ∈ I then assume
Γ_i = Γ'_i, x : ρ_i. We have ρ = ⊕_{i∈I} ρ_i. By lemma 24(3), we can find Γ''_i such that Γ''_i ⊢ v : ρ_i
for i ∈ I and Γ' = ⊕_{i∈I} Γ''_i. If i ∉ I then Γ_i ⊢ [v/x]e_i : σ_i (cf. lemma 24(1)) and if i ∈ I then
(Γ'_i ⊕ Γ''_i) ⊢ [v/x]e_i : σ_i, by inductive hypothesis.

This kind of argument is repeated several times for the remaining rules. As already pointed out
in the proof of the weakening lemma 5, another important point is that the rules are built so
that adding extra capabilities to the hypotheses in the context does not affect the conclusion.
We just look in some detail at the rule [var_sig] in the case where Γ, s : Sig_{xy^ω}(σ) ⊢ [s] : Sig_u(σ),
y^ω ≥ u, Γ' ⊢ s' : Sig_{xy^ω}(σ) and (Γ ⊕ Γ') ↓. Then Γ'(s') = Sig_{u'}(σ) with u' ≥ xy^ω. Hence
↓(u') ≥ y^ω ≥ u. □



B.3 Proof of lemma 11

By induction on the evaluation e ⇓ v. If e is a signal s or a constant c then e = v and
the conclusion is immediate. So suppose: e = k(e_1, ..., e_n), k : (σ_1, ..., σ_n) → σ, Γ =
Γ_0 ⊕ Γ_1 ⊕ ··· ⊕ Γ_n, Γ_i ⊢ e_i : σ_i, and e_i ⇓ v_i, for i = 1, ..., n. By inductive hypothesis,
Γ_i ⊢ v_i : σ_i, for i = 1, ..., n. If k is a constructor c then v = c(v_1, ..., v_n) and Γ ⊢ v : σ by
the rule (k). If k is a function f then again by the rule (k), Γ ⊢ f(v_1, ..., v_n) : σ and, by
hypothesis on f, we have that f(v_1, ..., v_n) ⇓ v and Γ ⊢ v : σ. □



B.4 Proof of lemma 12

(1) The effect of V(A(r)) is to replace each occurrence of !s in r with V(s). First notice
that if !s occurs in r then its usage cannot be of kind 5. Moreover, if it is of kind 1 or 2 then
we can have several occurrences of !s in r and the type of the values emitted on the signal
must be non-affine. Notice that to type a non-affine value, we just need a non-affine context
and since non-affine types are (exactly the) neutral types, we can use this context as many
times as needed. On the other hand, if the signal is of kind 3 or 4 then the values emitted on
the signal can be affine but there can be no more than one occurrence of !s in r.

Following these preliminary considerations, we proceed by case analysis on the rules [!Set]
and [!List]. In each case, one has a judgement of the shape:

Γ, s : Sig_u(σ) ⊢ [!s] : Op_x(σ)

knowing that Γ' ⊢ V(s) = [v_1; ...; v_n] : Op_x(σ),

(2) By definition, V(A(r_1, ..., r_n)) = A(V(r_1), ..., V(r_n)). Suppose A : (σ_1, ..., σ_n). We
know that v_i ~_{σ_i} u_i entails that A(v_1, ..., v_n) ≈ A(u_1, ..., u_n). Hence, it is enough to show
that V(r_i) ~_{σ_i} V'(r_i) for i = 1, ..., n. We proceed by induction on the structure of r. If
r is a signal or a constant then by definition r ~_σ r. If r is of the shape !s then we analyse
the kind of usage of s. If it is of kind 2 or 4 then V(s) = V'(s) (there is at most one value in
the lists). If it is of kind 1 or 3 then V(s) and V'(s) are equal up to permutation, and we rely
on the definition of ~ on set types. Finally, if r = k(r) we apply the inductive hypothesis plus
the definition of ~ on constructors if k is a constructor and the hypothesis on the functions
if k is a function.

B.5 Residual context on auxiliary actions 

We specify the notion of residual context on auxiliary actions. The definition for the actions
s?v is similar to the one for the actions sv. On the other hand, for the actions (E, V), we
have to analyse how a program exports and imports usages at the end of the instant. For
instance, consider P = s̄_1 t_1 | s̄_2 t_2 | A(!s_1), and suppose P →^{(E,V)} A(V(s_1)) where:

E = [{t_1}/s_1, {t_2}/s_2]   V = [[t_1; t_3]/s_1, [t_4; t_2]/s_2].

The function E represents what P emits, the function V represents what P assumes to be
emitted; moreover, looking at the context Γ, we may determine what the process P may
receive at the end of the instant (note that P may receive what it emits and that a value
with an affine typing can be received at most once). In computing the residual context, we
have to subtract what is exported to the environment while adding what is imported from it.
Going back to our example, clearly the context Γ must specify that P may receive on s_1 at
the end of the instant. Suppose moreover that it specifies that P may not receive on s_2. Then
in computing the residual context, we have to subtract the usage for t_2 which is exported
to the environment while adding the usage for t_3 which is received from it. Following these
considerations, we define:

\[
\begin{array}{ll}
\Delta(E, \Gamma) = \bigoplus \{ \Delta(v, \lambda) \mid \Gamma(s) = Sig_u(\lambda),\ v \in E(s),\ u(0)_3 \neq 1 \} & \text{(export)} \\[1ex]
\Delta(V, \Gamma) = \bigoplus \{ \Delta(v, \sigma) \mid \Gamma(s) = Sig_u(\sigma),\ v \in V(s),\ u(0)_3 \neq 0 \} & \text{(import)}
\end{array}
\]

Note that in the 'exported context' Δ(E, Γ) we only care about usages of values of affine
type, as otherwise Δ(v, κ) is neutral. On the other hand, in the 'imported context' we look
at all the values regardless of their type. Indeed, v might have a neutral type but contain a
fresh signal name and then we need to import a neutral context to type it. Also note that in
the following definition 25 we actually focus only on the values that are not emitted (in E).

Definition 25 (residual context on auxiliary actions) Given a context Γ and an auxiliary
action aux the residual context Γ(aux) is defined as follows, where u_5 is as in definition 10 (1):

\[
\Gamma(aux) = \begin{cases}
(\Gamma \ominus \{s : Sig_{u_5}(\sigma')\}) \oplus \Delta(v, \sigma') & \text{if } \Gamma(s) = Sig_u(\sigma'),\ aux = s?v \\
\downarrow\Gamma \ominus \Delta(E, \Gamma) \oplus \Delta(V \setminus E, \Gamma) & \text{if } aux = (E, V)
\end{cases}
\]

B.6 Proof of theorem 13



We proceed by induction on the proof of the transition and by case analysis on the action act
which is performed.

(sv) There is just 1 rule to consider: (in). Suppose Γ(s) = Sig_u(σ'). The definition of the
residual context provides an additional context Δ(v, σ') ⊕ {s : Sig_{u_out}(σ')} which is just what
is needed to type s̄v.

(s?v) There are 3 rules to consider: (in_aux), (comp), and (ν). We just look at the first one.
Suppose (Γ_1 ⊕ Γ_2) ⊢ s(x).P, K, Γ_1 ⊢ s : Sig_u(σ'), u(0)_2 ≠ 0, Γ_2, x : σ' ⊢ P, and Γ_1 ⊕ Γ_2 ⊢ [K].
Note that necessarily u ≥ u_in. By construction, Δ(v, σ') ⊢ v : σ'. By the substitution lemma
6, Γ_2 ⊕ Δ(v, σ') ⊢ [v/x]P and then it is enough to apply weakening to get the residual context.

(νt : σ s̄v) There are 5 rules to consider: (out), with a special treatment for kind 5, (out_aux),
(ν_ex), (comp), and (ν).

(τ) There are 8 rules to consider: (synch), (rec), (=^s_i), (=^cond_i), (comp), and (ν), for i = 1, 2.
We just look at the first two.

(synch) Suppose: P_1 →^{νt : ρ s̄v} P'_1, P_2 →^{s?v} P'_2, Γ_i ⊢ P_i for i = 1, 2, and (Γ_1 ⊕ Γ_2)(s) = Sig_u(σ').
By inductive hypothesis, we have:

(Γ_1, t : ρ) ⊖ Δ(v, σ') ⊕ {s : Sig_{u_5}(σ')} ⊢ P'_1 and
(Γ_2 ⊕ Δ(v, σ')) ⊖ {s : Sig_{u_5}(σ')} ⊢ P'_2.

Recall that here u may be of kind 2 or 5 and that in the first case u_5 is neutral. In both cases,
we get (Γ_1 ⊕ Γ_2), t : ρ ⊢ (P'_1 | P'_2), and we conclude applying the typing rule (ν).

(rec) Suppose A : (σ_1, ..., σ_n), Γ_i ⊢ e_i : σ_i, e_i ⇓ v_i, for i = 1, ..., n. By lemma 11, Γ_i ⊢ v_i : σ_i.
By hypothesis, we know that if A(x_1, ..., x_n) = P then x_1 : σ_1, ..., x_n : σ_n ⊢ P. Thus, by
iterating the substitution lemma 6, we get, as required, Γ_1 ⊕ ··· ⊕ Γ_n ⊢ [v_1/x_1, ..., v_n/x_n]P.

(E, V) There are 5 rules to consider: (0), the two (reset) rules, (cont), and (par). We focus on the
last two.

(cont) Suppose s(x).P, K →^{(∅, V)} V(K) and Γ ⊢ s(x).P, K. Then Γ ⊢ [K]. We rely on lemma
12(1). We build the context Γ' in the lemma by taking Γ'' = Δ(V, Γ), which is uniform, added
to a context Γ''' which just provides the usages to emit in the first instant the values in V on
the signals in dom(V).

(par) Suppose: Γ = (Γ_1 ⊕ Γ_2), Γ ⊢ (P_1 | P_2), (P_1 | P_2) →^{(E_1 ∪ E_2, V)} (P'_1 | P'_2), Γ_i ⊢ P_i,
P_i →^{(E_i, V)} P'_i, for i = 1, 2. Following the definition of residual context, define for i = 1, 2:

\[
\begin{array}{ll}
Exp_i = \Delta(E_i, \Gamma_i) & Exp_{12} = \Delta(E_1 \cup E_2, \Gamma_1 \oplus \Gamma_2) \\[1ex]
Imp_i = \Delta(V \setminus E_i, \Gamma_i) & Imp_{12} = \Delta(V \setminus (E_1 \cup E_2), \Gamma_1 \oplus \Gamma_2) \\[1ex]
\Gamma'_i = \downarrow\Gamma_i \ominus Exp_i \oplus Imp_i & \Gamma' = \downarrow(\Gamma_1 \oplus \Gamma_2) \ominus Exp_{12} \oplus Imp_{12}
\end{array}
\]

We want to show Γ' = Γ'_1 ⊕ Γ'_2. We proceed by analysing the contribution of each value
v ∈ V(s) such that Γ(s) = Sig_u(σ) to the computation of Imp_i, Imp_12, Exp_i, and Exp_12. We
use the notation, e.g., Imp_1(v) to denote the contribution of the value v to the computation
of the context Imp_1.

• If σ is non-affine then, for i = 1, 2, Imp_i and Imp_12 are neutral contexts while Exp_i and
Exp_12 are empty contexts. Up to symmetries, v can be received either by (i) Γ_i, i = 1, 2 or
(ii) Γ_1 and Γ_2 and emitted either by (i) E_1 ∩ E_2, or (ii) E_1\E_2, or (iii) E_2\E_1, or by (iv) the
environment. One proceeds by case analysis (8 situations).

• If σ is affine then the usage u must be of kind 3 or 4 and at the end of the instant the
signal s may be read, exclusively, either by (i) Γ_i, i = 1, 2 or by (ii) the environment. On the
other hand, v may be emitted either by (i) (E_1 ∩ E_2), or by (ii) (E_1\E_2), or by (iii) (E_2\E_1)
or by (iv) (V\(E_1 ∪ E_2)). If v ∈ (E_1 ∩ E_2)(s) then Δ(v, σ) must be neutral for otherwise the
addition is not defined. One then proceeds by case analysis (8 situations). Note that if the
environment receives v then the import contexts Imp_i, Imp_12 are empty while if Γ_i receives
v then Exp_i is empty.

(N) There is just 1 rule to consider: (next). Suppose Γ ⊢ P and P ≡ νs : ρ P''. Clearly, a
typing of, say, (νs : ρ Q_1) | Q_2 can be transformed into a typing of νs : ρ (Q_1 | Q_2). Thus
Γ ⊢ νs : ρ P'' and Γ, s : ρ ⊢ P''. By definition of the rule (next), P'' →^{(E,V)} P' with V ⊩ E.
By inductive hypothesis and weakening, ↓(Γ, s : ρ) ⊢ P'. Thus ↓(Γ) ⊢ νs : ↓ρ P'. □

B.7 Proof of proposition 15

We show that the following indexed relation is a typed bisimulation:

P R_Γ Q if P, Q ∈ Pr(Γ) and P ≈ Q.

Suppose P R_Γ Q, P →^α_Γ P', and bn(α) ∩ fn(Q) = ∅. Then:

P →^α P' (by definition of typed transition)

Γ(α) ⊢ P' (by subject reduction)

Q ⇒^α Q', P' ≈ Q' (by untyped bisimulation)

Γ(α) ⊢ Q' (by subject reduction)

Hence we can conclude that P' R_{Γ(α)} Q'. □
B.8 Proof of lemma 16

(1) An inspection of the labelled transition system in table 2 reveals that two τ reductions
may superpose only if they are produced by two synchronisations on the same signal name, say
s. In this case, s must have a usage of kind 2 or 5. In a usage of kind 2, the typing guarantees
that there is at most one value emitted on s so that we are roughly in the following situation:

P = C[s(x).P_1, Q_1 | s(x).P_2, Q_2 | s̄e]

Because a signal emission persists within an instant, it is possible to close the diagram in one
step. On the other hand, in a usage of kind 5 there can be at most one receiver and therefore
no superposition may arise.

(2) We show that ⇝ is a typed bisimulation. If P = Q nothing needs to be proved.
So suppose P →^τ_Γ Q. Clearly, P can weakly simulate all actions Q may perform just by
performing initially an extra τ step. So suppose P →^α_Γ P'. Note that α ≠ N since P may
perform a τ action.

α = τ: In this case, we apply (1) noticing that ⇝ ⊆ ⇒.

α = sv: In this case, P' = (P | s̄v) and we can close the diagram by performing Q →^{sv} (Q | s̄v).

α = νt s̄v: Again, because a value emitted on a signal persists, it is equivalent to use it in an
internal synchronisation and then again to extrude the value to the environment or the other
way around. □

B.9 Proof of lemma 17

By subject reduction we know that ↓(Γ) ⊢ P_i. If we can show that P_1 ≈ P_2 then by
proposition 15 we can conclude. According to the rule (next) of the labelled transition system,
we must have for i = 1, 2:

P ≡ νs_i P', s_1 a permutation of s_2, P' →^{(E, V_i)} P''_i, V_i ⊩ E, P_i = νs_i P''_i.

Then lemma 12(2) and fact 2 guarantee that P''_1 ≈ P''_2 and P_1 ≈ P_2. □

B.10 Proof of theorem 18

The proof is a direct diagram chasing relying on lemma 16(2), lemma 17 and the definition of typed
bisimulation. □